[c-nsp] PIX questions

Ziv Leyes zivl at gilat.net
Tue May 13 02:14:03 EDT 2008


You must understand that the NAT is being performed on a "from-->to" basis; that is why the command is "static (inside,outside)". So if the NAT is between inside and outside, you can't hit it when coming from the DMZ. For this to be achieved you should use a "static (inside,dmz)" command, but then you won't have the needed translation towards the outside. I think you can't enjoy both worlds... Besides, what's the problem with having the outside hosts use the public IP address and the DMZ hosts use the inside IP address for accessing the servers?

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
Sent: Monday, May 12, 2008 8:35 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX questions

I was hoping to see an answer to this, as I ran into what I believe to
be a similar situation a while back.

We had an ASA at an edge, with several static identity NATs, e.g.:

        static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
        static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
        ...

Where x.x.x.* are public addresses, and an access-list allows specific
services from anywhere to each public NAT.  All outgoing traffic is
PATed to the interface address, say x.x.x.80, and I'm not clear on how
to enable a host on the inside to communicate with an identity NAT on
the outside...essentially the ASA would be doubling up on translations,
one outgoing, to one inbound...looping back to itself so-to-speak.  It
doesn't work, and I understand why, but I've wondered if there's a way
to enable this (other than having the hosts communicate directly).  I've
looked at things like permitting same-security-traffic
inter/intra-interface to no avail.

Thanks in advance (and sorry if I woke a dead thread)


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
Sent: Friday, May 09, 2008 12:05 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX questions

Hi all,

I have a question about PIX translation

An outside interface has IP address:
192.168.1.2 255.255.255.0

A DMZ interface has IP address:
10.1.1.2 255.255.255.0


Current translation:
10.1.1.3 -> 192.168.1.3
10.1.1.4 -> 192.168.1.4


How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
How can I make it so that anyone behind 10.1.1.0/24 network is able to
ping the IP "192.168.1.4"?

Consider that ICMP is allowed any any.

I tried to configure it but the ASDM log say
"Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"

Thank you for your help in advance.

Regards,
Rudy
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
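The following configuration is an added illustration of the interface-pair behaviour Ziv describes, written for this page rather than taken from any poster. It assumes Rudy's addressing (outside 192.168.1.2/24, dmz 10.1.1.2/24 with security-level 50) and the pre-8.3 PIX/ASA `static`/`nat`/`global` syntax the thread uses; the interface names, security levels and the second option are assumptions, not anything the thread confirms works on the posters' boxes.

```cisco
! Added example, not from the thread. Assumed topology:
!   outside 192.168.1.2/24 (security-level 0), dmz 10.1.1.2/24 (security-level 50)
! Pre-8.3 PIX/ASA syntax: every static is bound to one (real,mapped) interface pair.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface Ethernet1
 nameif dmz
 security-level 50
 ip address 10.1.1.2 255.255.255.0

! Rudy's translations: consulted only for traffic crossing the dmz<->outside pair.
static (dmz,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255
static (dmz,outside) 192.168.1.4 10.1.1.4 netmask 255.255.255.255

! A packet from 10.1.1.3 to 192.168.1.4 arrives on dmz. No (dmz,dmz) pair
! exists, so the mapped address is never untranslated for that packet; it is
! simply routed toward the outside interface, where 192.168.1.0/24 is
! directly connected, and never reaches 10.1.1.4.

! Option 1 (Ziv's suggestion): DMZ hosts address the server as 10.1.1.4.
! No further configuration is needed.

! Option 2 (PIX/ASA 7.0 and later; an assumption added here, not proposed in
! the thread): make the public address valid on the dmz interface itself by
! adding the (dmz,dmz) pair and permitting intra-interface traffic. The PAT
! to the dmz interface address keeps the server's replies flowing back
! through the firewall instead of directly to the client (which would break
! the state table).
same-security-traffic permit intra-interface
static (dmz,dmz) 192.168.1.4 10.1.1.4 netmask 255.255.255.255
nat (dmz) 1 10.1.1.0 255.255.255.0
global (dmz) 1 interface
```

If other DMZ hosts without a `static` also need to reach the outside, keep (or add) a matching `global (outside) 1 interface` for the same NAT id; `nat (dmz) 1` alone with a `global (dmz)` only covers the hairpin case. Option 2 should be verified with `show xlate` and `show conn` after a test ping, since it changes which translation a DMZ-sourced packet matches.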





************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************